Still trying to progress this issue; would appreciate any input/help.
It looks like a threading issue in Axis2 in that there are these calls:
Our custom receiver code (when WLS) simply calls: super.invokeBusinessLogic(messageContextIn,
messageContextOut);
which then invokes:
org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(MessageContext,
MessageContext)
org.apache.axis2.receivers.AbstractMessageReceiver.getTheImplementationObject(MessageContext)
org.apache.axis2.receivers.AbstractMessageReceiver.makeNewServiceObject(MessageContext)
org.apache.axis2.rpc.receivers.ejb.EJBUtil.makeNewServiceObject(MessageContext)
The call to makeNewServiceObject starts a new (EJBClientWorker) thread that makes the usual
RMI/EJB calls (similar to what we do with Axis 1.4); to summarize:
org.apache.axis2.rpc.receivers.ejb.EJBUtil$EJBClientWorker.createRemoteEJB
org.apache.axis2.rpc.receivers.ejb.EJBUtil$EJBClientWorker.getEJBHome
Creates Property object for Context.SECURITY_PRINCIPAL, Context.SECURITY_CREDENTIALS,
Context.INITIAL_CONTEXT_FACTORY, & Context.PROVIDER_URL
org.apache.axis2.rpc.receivers.ejb.EJBUtil.EJBClientWorker.getContext(Properties)
- new InitialContext(properties)
org.apache.axis2.rpc.receivers.ejb.EJBUtil.EJBClientWorker.getEJBHome(InitialContext,
String) - context.lookup(beanJndiName)
Object ehome = javax.rmi.PortableRemoteObject.narrow(ejbHome, cls);
Method createMethod = cls.getMethod("create", empty_class_array);
return createMethod.invoke(ehome, empty_object_array);
It appears that from this thread WebLogic does the JAAS authentication, calling our login
module's login() method and successfully authenticating; but, then ending the thread and returning
back to the RPCMessageReceiver.invokeBusinessLogic() thread where it calls org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(AxisMessage,
Method, Object, String, OMElement, MessageContext) that calls java.lang.reflect.Method.invoke(Object,
Object...) and then falls over because of the WebLogic error: EJB:010160]Security Violation:
User: '<anonymous>' has insufficient permission to access EJB.
So would this be failing because the create EJB call is where WebLogic is invoking the authentication
and it's done in a different thread to the service method invocation and thus WebLogic doesn't
see the EJB invocation as authenticated? Any ideas about this; does this analysis seem correct?
Is anyone else successfully using Axis2 with WebLogic and a login module? Would seem hard
to customize this in a general way.
Thanks,
William
From: William Walsh
Sent: Thursday, April 22, 2010 4:08 PM
To: java-user@axis.apache.org
Subject: Differences in WLS security with Axis 1.4 versus Axis2
Is anyone aware of how/why WebLogic is showing us differences between Axis 1.4 and Axis2 in
how security is being processed on invocation of a service?
For Axis 1.4 we have our own provider that extends org.apache.axis.providers.java.RPCProvider,
which in its invokeMethod method sets up a properties object to create a new InitialContext,
calls PortableRemoteObject.narrow, calls the EJB create() method, and then calls invoke on
the service method(), which works fine with WLS.
For Axis2 it looks like this same functionality is provided in EJBUtils.java and RPCUtils.java;
so, we're extending org.apache.axis2.rpc.receivers.ejb.EJBMessageReceiver and in our invokeBusinessLogic
method, for WLS, we just invoke super.invokeBusinessLogic(messageContextIn, messageContextOut),
which results in this error:
[ERROR] [EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission
to access EJB: type=<ejb>, application=TestModel, modu
le=FacadeModule.jar, ejb=Axis2DocWebServiceTestBPO, method=simpleAdd, methodInterface=Remote,
signature={int,int}.
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:600)
at org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:194)
at org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:102)
at curam.util.connectors.axis2.CuramMessageReceiver.invokeBusinessLogic(CuramMessageReceiver.java:54)
at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:114)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:173)
at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:167)
at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:142)
The jndiUser and jndiPassword parameters in services.xml and server-config.wsdd are equivalent
and are both against same WLS system, same ear, different war files.
I have added runAs code to our Receiver for the WLS JAAS configuration with some success;
but we never had to do this for Axis 1.4. Any ideas why we are seeing this difference?
Thanks,
William
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized. If you are not the intended recipient, any disclosure,
copying, distribution or any action taken or omitted to be taken in reliance
on it, is prohibited and may be unlawful. If you are not the intended
addressee please contact the sender and dispose of this e-mail. Thank you.